Programmable Filter

“Programmable filter” (BPF) may be used to create custom countermeasures if the existing ones are not sufficient.

Writing programs requires basic programming skills, but makes it possible to solve complex tasks quickly:

  • Protection for applications and protocols that are not supported yet. There’s no need to contact the developers and wait for the next release if you understand how an application works and how to protect its traffic.

  • More complex filters than the ACL and REX countermeasures allow. For example, you can analyze TCP and IP options and any combination of packet parameters, headers and payloads, either simultaneously or in sequence.

  • Experimental protection methods and mitigation of specific attacks.
    MITIGATOR lets you modify the program on the fly, adding new logic during an attack or as you gain a deeper understanding of the protocol.
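
The TCP option analysis mentioned in the list above, as an added example that is not taken from the MITIGATOR documentation or its source samples. It is plain C and does not use MITIGATOR's filter API; the verdict names, function names and the policy (drop malformed packets and SYNs without an MSS option) are assumptions chosen to show the bounds checks an option walker needs.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical verdict names; this is not MITIGATOR's API. */
enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* Walk the TCP options in opt[0..len). Returns 1 if a well-formed MSS
 * option (kind 2, length 4) is present, 0 if absent, -1 if malformed. */
static int find_mss(const uint8_t *opt, size_t len)
{
    size_t i = 0;
    int found = 0;
    while (i < len && opt[i] != 0) {        /* kind 0 ends the list */
        if (opt[i] == 1) {                  /* NOP is a single byte */
            i++;
            continue;
        }
        /* Need a length byte that covers kind+length and fits the header;
         * a length below 2 would otherwise stall or loop the walker. */
        if (len - i < 2 || opt[i + 1] < 2 || opt[i + 1] > len - i)
            return -1;
        size_t olen = opt[i + 1];
        if (opt[i] == 2 && olen != 4)       /* MSS must be exactly 4 bytes */
            return -1;
        if (opt[i] == 2)
            found = 1;
        i += olen;
    }
    return found;
}

/* Assumed policy: drop malformed packets and SYNs that carry no MSS.
 * pkt points at the IPv4 header; len is the number of bytes available. */
enum verdict check_syn(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return VERDICT_DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return VERDICT_DROP;
    if (pkt[9] != 6)                        /* not TCP: outside this policy */
        return VERDICT_PASS;
    if (len < ihl + 20)
        return VERDICT_DROP;
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff)
        return VERDICT_DROP;
    if ((tcp[13] & 0x12) != 0x02)           /* only SYN without ACK */
        return VERDICT_PASS;
    return find_mss(tcp + 20, doff - 20) == 1 ? VERDICT_PASS : VERDICT_DROP;
}
```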

Source code samples.

The programmable filter provides:

  • Speed. Program performance is comparable to that of built-in countermeasures.

  • Security as an integral property.

    • MITIGATOR checks uploaded code for validity. Even if an error occurs, it won’t crash MITIGATOR or cause it to hang.

    • You can delegate program writing and uploading to service clients.
      Each protection policy can have its own program, which, however, cannot harm MITIGATOR or other clients.

  • Simplicity: convenient API for common packet operations.

  • The standard eBPF format allows using conventional compilers, IDEs, and programming expertise.

Info

Programs for MITIGATOR are not compatible with XDP and tc (eBPF in the Linux kernel).
See the reference guide for details.